One issue I just ran into is the duplication of the org.jboss.security.{AnybodyPrincipal,AnybodyPrincipal,SimplePrincipal} in the jboss-metadata project. These are Principal implementations that should not be defined by the metadata layer. They really belong in the security project/security aspect project (where they currently are). Removing these means breaking the legacy org.jboss.metadata.BeanMetaData.getMethodPermissions which returns a Set of Principals.

The only way around that is to add a PrincipalFactory api to the metadata project, or add such an interface to the jboss-security-spi and have jboss-metadata depend on that.

Do you think it is better for BeanMetaData.getMethodPermissions to return a set of strings that represent roles rather than a set of principals? Special strings can represent the ANYBODY or NOBODY principals.
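As an added illustration of the role-string alternative proposed above (example code, not part of the thread or of the jboss-metadata project), a hypothetical MethodPermission holding a Set of role names, with assumed sentinel strings for ANYBODY and NOBODY; the sentinel values are my assumption, the thread does not fix them.

```java
import java.util.Collections;
import java.util.Set;

/** Hypothetical role-string based method permission (not the jboss-metadata API). */
public final class MethodPermission {
    // Assumed sentinel strings; they must be rejected as ordinary role names
    // when the deployment descriptor is parsed, so a role cannot collide with them.
    public static final String ANYBODY = "<ANYBODY>";
    public static final String NOBODY  = "<NOBODY>";

    private final Set<String> roles;

    public MethodPermission(Set<String> roles) {
        this.roles = Collections.unmodifiableSet(Set.copyOf(roles));
    }

    /** Returns true if a caller holding callerRoles may invoke the method. */
    public boolean isAllowed(Set<String> callerRoles) {
        // Fail closed: no entries means no access, and an explicit NOBODY
        // (excluded method) wins over every other entry, including ANYBODY.
        if (roles.isEmpty() || roles.contains(NOBODY)) {
            return false;
        }
        if (roles.contains(ANYBODY)) {
            return true; // unchecked method
        }
        for (String r : callerRoles) {
            if (roles.contains(r)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        MethodPermission p = new MethodPermission(Set.of("admin", "operator"));
        System.out.println("operator allowed: " + p.isAllowed(Set.of("operator")));
        System.out.println("guest allowed: " + p.isAllowed(Set.of("guest")));
        MethodPermission excluded = new MethodPermission(Set.of(ANYBODY, NOBODY));
        System.out.println("excluded, admin allowed: " + excluded.isAllowed(Set.of("admin")));
    }
}
```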

Yes, but if we want the existing BeanMetaData api to be backward compatible it needs to keep the set of principals. This is only being used by the Container.getMethodPermissions in the jbossas codebase, so we could argue it's not part of the public metadata api, and add the jbossxb principal creation to the ejb container.

I do not think there is any usage of BeanMD.getMethodPermissions in any of our interceptors (which typically inspire custom interceptors). So as you said, this particular method call is not being used external to JBAS official code.